Relying heavily on the Supreme Court’s recent Clapper decision, a federal court dismissed a class action lawsuit arising out of a “skimming” data breach against Barnes & Noble (BN). In re Barnes & Noble Pin Pad Litigation, Case # 12-cv-8617 (N.D. Ill. Sept. 3, 2013). The plaintiffs filed suit against BN following its disclosure that “skimmers” potentially stole customer credit and debit card information from 63 BN locations in nine states. The skimmers had tampered with PIN pad devices in BN stores in order to steal information from customers who used the devices to process payments. BN announced the breach to the press and on its website almost six weeks after it became aware of the breach.
The plaintiffs filed suit against BN in federal court in Illinois, alleging damages including: untimely and inadequate notice of the breach, improper disclosure of their personally identifying information (PII), loss of privacy, expenses incurred to mitigate the increased risk of identity theft, deprivation of the value of their PII, anxiety and emotional distress. Only one plaintiff incurred a fraudulent charge on her credit card following the BN breach. Her credit card company notified her of the charge, confirmed that it was fraudulent, then cancelled the card and provided her with a replacement.
BN moved to dismiss the claim on the grounds that plaintiffs lacked Article III standing and that they failed to state a claim upon which relief can be granted. The court granted BN’s motion on standing and therefore declined to reach its failure to state a claim defense.
The court cited the fundamental principle that to establish standing, the plaintiffs had to demonstrate (1) that they suffered an injury in fact (2) that is fairly traceable to BN’s actions and (3) that will likely be redressed with a favorable decision. Frequently citing the Supreme Court’s recent decision in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), the court held that the plaintiffs did not suffer an injury and rejected each of the plaintiffs’ claims.
Untimely and/or Inadequate Notification of the Security Breach
The plaintiffs claimed that the alleged delay and inadequacy of BN’s breach notification increased their risk of identity theft or fraud. The court noted, however, that “[m]erely alleging an increased risk of identity theft or fraud is insufficient to establish standing.” Quoting Clapper, the court stated: “threatened injury must be certainly impending to constitute injury in fact and … [a]llegations of possible future injury are not sufficient.” The court acknowledged that, under Clapper, “substantial risk” of harm can establish standing where the plaintiff pleads and proves concrete facts showing that the defendant’s actions caused the substantial risk of harm. Because “[n]othing in the Complaint indicates Plaintiffs have suffered either a ‘certainly impending’ injury or a ‘substantial risk’ of an injury,” their claimed injuries based on BN’s allegedly defective notice did not establish standing.
The court also rejected the plaintiffs’ argument that they suffered injuries because BN’s notice violated the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA) and the Database Breach Act. “Even assuming the statutes have been violated by the delay or inadequacy of [BN’s] notification, breach of these statutes is insufficient to establish standing without any actual damages due to the breach. Plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III.”
Improper Disclosure of Plaintiffs’ PII
This claim was insufficient to establish standing. “[T]here is no actual injury pled because there are no facts to support the allegations that the information was disclosed.” The fact that the plaintiffs made credit and debit card purchases at BN stores affected by the breach was too tenuous to support a reasonable inference that their data actually was stolen.
Loss of Privacy
This claim also was insufficient to establish standing because there were no facts alleged to support the conclusion that PII was disclosed.
Time and Expenses Incurred to Mitigate the Risks of Identity Theft
Even if the plaintiffs had alleged with specificity the expenses that they allegedly incurred to mitigate their risks (which they failed to do), under Clapper, plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” The plaintiffs could not carry their burden because, as discussed above, they could not sufficiently allege the predicate that the information they were trying to protect was, in fact, stolen.
Increased Risk of Identity Theft
Because speculation of future harm does not constitute actual injury under Clapper, the court held that this claim was insufficient to establish standing.
Deprivation of the Value of Plaintiffs’ PII
The court explained that “[a]ctual injury of this sort is not established unless a plaintiff has the ability to sell his own information and a defendant sold the information.” Noting that the plaintiffs did not allege that their PII was sold or that they could sell it for value, the court held that there was no actual injury to establish standing.
Anxiety and Emotional Distress
Citing the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011), the court held that “[e]motional distress in the wake of a security breach is insufficient to establish standing, particularly in a case that does not involve an imminent threat to the information.”
Diminished Value of Products and Services
The plaintiffs claimed that they overpaid for products and services from BN because the price included security measures to protect their electronic transactions. The court found that argument unpersuasive, “particularly as Plaintiffs have not pled that BN charged a higher price for goods [when] a customer pays with credit, and therefore, that additional value is expected in the use of a credit card.”
One Plaintiff’s Fraudulent Charge
The “only cognizable potential injury” alleged by plaintiffs was a fraudulent charge on one plaintiff’s credit card following a purchase made at BN. Even if it is assumed that the fraudulent charge was due to BN’s actions or inactions, the plaintiff alleged only that she was without the use of her credit card for an unspecified period of time until she received her replacement card. However, “[i]n order to have suffered an actual injury, she must have had an unreimbursed charge on her credit card.” Without any such injury, “there is no actual injury and therefore, no standing.”
Noting that standing is “an indispensable part” of the plaintiffs’ case, the court ruled that there was no subject matter jurisdiction and that the complaint must be dismissed.
The court’s reliance on Clapper in this case is not surprising. Although Clapper did not involve a data breach, its ruling on speculative damages is applicable in many data breach cases. Although plaintiffs may seek to limit Clapper’s application, we can expect to see data breach defendants and courts continue to rely on the Supreme Court’s reasoning to defeat data breach claims in the absence of actual, well-pled damages.